Thursday, November 3, 2011

FreeNAS 8.0 + Transmission + MLDonkey

1. http://192.168.1.166

2. Mount the HD


3. Set HD permissions

3. Set up services
4. Check CIFS & SSH
5. Install Transmission
[root@freenas] ~#mount -uw /
[root@freenas] ~#pkg_add -r transmission-daemon

[root@freenas] ~#cp /usr/local/etc/rc.d/transmission /conf/base/etc/rc.d/
[root@freenas] ~#cd /mnt/temp
[root@freenas] /mnt/temp#mkdir transmission-config watch download

[root@freenas] /mnt/temp#vi /conf/base/etc/rc.conf
************
transmission_enable="YES"
transmission_conf_dir="/mnt/temp/transmission-config"
transmission_watch_dir="/mnt/temp/watch"
transmission_download_dir="/mnt/temp/download"
transmission_user="www"
*************
[root@freenas] /mnt/temp#chown -R www:www transmission-config
[root@freenas] /mnt/temp#chown -R www:www download

[root@freenas] ~#reboot  // Transmission may fail to start without a reboot

[root@freenas] ~#mount -uw /
[root@freenas] ~#cd /conf/base/etc/rc.d
[root@freenas] /conf/base/etc/rc.d# sh transmission stop
[root@freenas] /conf/base/etc/rc.d#
[root@freenas] /conf/base/etc/rc.d#cd /mnt/temp/transmission-config
[root@freenas] /mnt/temp/transmission-config#vi settings.json  // this file does not exist until Transmission has been started at least once
"rpc-whitelist": "192.168.1.*",

[root@freenas] /mnt/temp/transmission-config#sh /conf/base/etc/rc.d/transmission start
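The rpc-whitelist value is the only thing standing between the LAN and the Transmission RPC port once the daemon listens on every interface, and a value copied with a stray space inside the quotes (as in "192.168.1.* ") is an easy way to end up with a whitelist that never matches the client you meant. The script below is an added example, not code from the original post or from Transmission; it reads settings.json with grep and sed only (FreeNAS 8 has no jq), assumes the one-key-per-line layout that transmission-daemon itself writes, and checks the real keys rpc-whitelist, rpc-whitelist-enabled and rpc-authentication-required.

```shell
#!/bin/sh
# Audit the RPC exposure settings in a Transmission settings.json.
# Added example, not from the original post. It reads the real Transmission
# keys rpc-whitelist, rpc-whitelist-enabled and rpc-authentication-required
# with grep/sed only and assumes the one-key-per-line layout that
# transmission-daemon writes.

# Print the value of KEY from FILE, stripped of quotes and the trailing comma.
tr_setting() {   # tr_setting FILE KEY
    tr_line=$(grep "^[[:space:]]*\"$2\"[[:space:]]*:" "$1" | head -n 1)
    [ -n "$tr_line" ] || return 1
    tr_val=${tr_line#*:}
    tr_val=$(printf '%s' "$tr_val" | sed 's/^[[:space:]]*//; s/[[:space:]]*,*[[:space:]]*$//')
    case $tr_val in
        \"*\") tr_val=${tr_val#\"}; tr_val=${tr_val%\"} ;;   # inner spaces are kept on purpose
    esac
    printf '%s\n' "$tr_val"
}

# Report whitelist entries that cannot do their job; returns 1 if any were found.
tr_audit_rpc() {   # tr_audit_rpc FILE
    tr_file=$1; tr_bad=0
    if [ "$(tr_setting "$tr_file" rpc-whitelist-enabled)" != true ]; then
        echo "WARN: rpc-whitelist-enabled is not true, so the whitelist is ignored"
        tr_bad=1
    fi
    if [ "$(tr_setting "$tr_file" rpc-authentication-required)" != true ]; then
        echo "INFO: rpc-authentication-required is not true; the whitelist is the only gate"
    fi
    # Split on commas only, and keep the shell from glob-expanding the '*' entries.
    tr_old_ifs=$IFS; IFS=,; set -f
    for tr_entry in $(tr_setting "$tr_file" rpc-whitelist); do
        case $tr_entry in
            *[[:space:]]*) echo "WARN: entry '$tr_entry' contains stray whitespace"; tr_bad=1 ;;
            *[!*.]*)       echo "OK: $tr_entry" ;;
            *)             echo "WARN: entry '$tr_entry' matches every address"; tr_bad=1 ;;
        esac
    done
    set +f; IFS=$tr_old_ifs
    return $tr_bad
}

# Constructed sample that mirrors the post's value, trailing space included.
tr_demo=$(mktemp)
cat > "$tr_demo" <<'EOF'
{
    "rpc-authentication-required": false,
    "rpc-whitelist": "127.0.0.1,192.168.1.* ",
    "rpc-whitelist-enabled": true
}
EOF
if tr_audit_rpc "$tr_demo"; then
    echo "RPC settings look sane"
else
    echo "fix settings.json before relying on the whitelist"
fi
rm -f "$tr_demo"
```

Run it against /mnt/temp/transmission-config/settings.json while the daemon is stopped: transmission-daemon rewrites the file on exit, so edits made while it runs are lost.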

6. Install MLDonkey


[root@freenas] ~# reboot // MLDonkey may fail to start without a reboot

[root@freenas] ~# mount -uw /
[root@freenas] ~# mkdir /mnt/temp/Emule
[root@freenas] ~# mkdir /mnt/temp/Emule/temp
[root@freenas] ~# cd /.mldonkey
[root@freenas] ~/.mldonkey#vi downloads.ini
**************
allowed_ips=["192.168.1.0/24";]
...
temp_directory="/mnt/temp/Emule/temp"
...
dirname="/mnt/temp/Emule/incoming/files"
strategy=incoming_files
priority=0
dirname="/mnt/temp/Emule/incoming/directories"
strategy=incoming_directories
priority=0
*************
[root@freenas] ~# mlnet




Thursday, September 16, 2010

CentOS 5.5 + Postfix + SASL authentication (internal company mail, not exposed externally)

Environment:
CentOS 5.5
Kernel 2.6.18-128.el5

Packages:
Postfix(SMTP)
Saslauthd(SMTP AUTH)
dovecot(POP3)

1.
Check whether sendmail is already installed (and remove it)
[root@CentOS ~]# rpm -qa |grep sendmail
sendmail-cf-8.13.8-8.el5
sendmail-8.13.8-8.el5
[root@CentOS ~]# rpm -e sendmail

error: Failed dependencies:
        /usr/sbin/sendmail is needed by (installed) redhat-lsb-3.1-12.3.EL.el5.centos.i386
        smtpdaemon is needed by (installed) mdadm-2.6.9-3.el5.i386
        smtpdaemon is needed by (installed) fetchmail-6.3.6-1.1.el5_3.1.i386
        smtpdaemon is needed by (installed) mutt-1.4.2.2-3.0.2.el5.i386

[root@CentOS ~]#rpm -e --nodeps sendmail




2.
Install Postfix (yum)
[root@CentOS etc]# yum install postfix
.......
Configure /etc/postfix/main.cf
[root@CentOS etc]#vi /etc/postfix/main.cf
------------------- modified part ------------------
# Postfix treats a trailing "# ..." as part of the value, so comments go on their own lines
# Postfix mail host name
myhostname = mail.XD.com
# domain name
mydomain = XD.com
# domain that locally submitted mail appears to come from
myorigin = $mydomain
inet_interfaces = all
# destinations that client MUAs can receive for (mail whose destination domain matches is accepted locally)
mydestination = $mydomain
# networks allowed to relay
mynetworks = 127.0.0.0/8
-------------------------------------------------

Check whether SASL authentication is installed
[root@CentOS etc]# rpm -qa |grep sasl
cyrus-sasl-2.1.22-5.el5_4.3
cyrus-sasl-lib-2.1.22-5.el5_4.3
cyrus-sasl-plain-2.1.22-5.el5_4.3



If SASL is installed, continue configuring the Postfix main.cf
[root@CentOS etc]#vi /etc/postfix/main.cf
------------------------- added part -------------------------------
smtpd_sasl_auth_enable=yes
smtpd_sasl_security_options=noanonymous
broken_sasl_auth_clients=yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = permit_mynetworks,permit_sasl_authenticated,reject

# Because permit_mynetworks only covers localhost, smtpd_sender_restrictions can be used to force internal senders through SMTP authentication; smtpd_client_restrictions can achieve the same
--------------------------------------------------------------------
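Whether this main.cf is an open relay comes down to three things: smtpd_recipient_restrictions must end in reject_unauth_destination, mynetworks must stay narrow, and noanonymous must keep an anonymous SASL mechanism from counting as "authenticated". The script below is an added example, not part of the original post or of Postfix; it parses main.cf with awk (continuation lines, comment lines, last definition wins) and applies those three checks. It targets the Postfix 2.x generation used on this page, where smtpd_recipient_restrictions alone governs relaying; later releases add smtpd_relay_restrictions, which it does not read.

```shell
#!/bin/sh
# Relay-safety check for a Postfix main.cf. Added example, not part of the
# original post. It assumes the standard main.cf syntax: "key = value", lines
# beginning with whitespace continue the previous value, "#" is a comment only
# at the start of a line (a trailing "# ..." becomes part of the value), and
# the last definition of a key wins.

# Print the effective value of KEY from FILE, joining continuation lines.
pf_get() {   # pf_get FILE KEY
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                               # comment line
        /^[[:space:]]/   { if (found) val = val " " $0; next }  # continuation line
        { found = 0 }                                           # any other line ends the value
        $0 ~ ("^" key "[[:space:]]*=") {
            sub("^" key "[[:space:]]*=[[:space:]]*", "")
            val = $0; found = 1                                 # later definitions override
        }
        END {
            gsub(/[[:space:]]+/, " ", val)
            sub(/^ /, "", val); sub(/ $/, "", val)
            print val
        }
    ' "$1"
}

# Normalise a Postfix list (comma and/or whitespace separated) to ",a,b,".
pf_list() {
    printf ',%s,' "$(printf '%s' "$1" | tr -s ' ,' ',,')"
}

# Return 0 when FILE looks relay-safe, 1 otherwise; findings go to stdout.
pf_relay_check() {   # pf_relay_check FILE
    pf_file=$1; pf_bad=0
    case $(pf_list "$(pf_get "$pf_file" smtpd_recipient_restrictions)") in
        *,reject_unauth_destination,*|*,defer_unauth_destination,*) ;;
        *) echo "FAIL: smtpd_recipient_restrictions never rejects unauthorised relaying"; pf_bad=1 ;;
    esac
    case $(pf_list "$(pf_get "$pf_file" mynetworks)") in
        *,0.0.0.0/0,*|*/0,*) echo "FAIL: mynetworks trusts every address"; pf_bad=1 ;;
    esac
    if [ "$(pf_get "$pf_file" smtpd_sasl_auth_enable)" = yes ]; then
        case $(pf_list "$(pf_get "$pf_file" smtpd_sasl_security_options)") in
            *,noanonymous,*) ;;
            *) echo "FAIL: SASL is enabled but anonymous mechanisms are not excluded"; pf_bad=1 ;;
        esac
    fi
    [ "$pf_bad" -eq 0 ] && echo "OK: $pf_file does not look like an open relay"
    return $pf_bad
}

# Constructed sample: the kind of main.cf that relays for the whole world.
pf_demo=$(mktemp)
cat > "$pf_demo" <<'EOF'
# constructed example, not a real server's configuration
mynetworks = 0.0.0.0/0
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated
EOF
pf_relay_check "$pf_demo" || echo "refusing to start postfix with this main.cf"
rm -f "$pf_demo"
```

Running it against /etc/postfix/main.cf after the edits on this page should print the OK line; each FAIL names the parameter to revisit.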
Check whether dovecot (POP3, IMAP) is installed
[root@CentOS sasl2]# rpm -qa |grep dovecot
dovecot-1.0.7-7.el5



If it is installed, edit the dovecot configuration file
[root@CentOS sasl2]#vi /etc/dovecot.conf
------------------------------- modified part -------------------------
# remove the leading # so this line is no longer commented out
protocols = imap imaps pop3 pop3s
--------------------------------------------------------------------
Start dovecot
[root@CentOS sasl2]# service dovecot start
Starting Dovecot Imap:                                     [  OK  ]


Start SASL authentication
[root@CentOS sasl2]# service saslauthd start
Starting saslauthd:                                        [  OK  ]

Start Postfix
[root@CentOS sasl2]# service postfix start
Starting postfix:                                        [  OK  ]

Reference:
http://www.spps.tp.edu.tw/documents/memo/postfix/postfix.htm

Sunday, September 5, 2010

CentOS 5.5 + ChangePassword (lets Samba clients change their own passwords)

Environment:
CentOS 5.5
Kernel 2.6.18-128.el5

Packages:
ChangePassword
Official site: http://changepassword.sourceforge.net/
To use changepassword you will need to have:

1.
[root@CentOS ~]#cd /usr/src
[root@CentOS src]#wget -O changepassword-0.9.tar.gz http://prdownloads.sourceforge.net/changepassword/changepassword-0.9.tar.gz?download
[root@CentOS src]#tar -xzvf changepassword-0.9.tar.gz
.....
[root@CentOS src]#cd changepassword-0.9
[root@CentOS  changepassword-0.9]# ./configure --enable-cgidir=/var/www/cgi-bin --enable-smbpasswd=/etc/samba/smbpasswd --disable-squidpasswd
.......
[root@CentOS  changepassword-0.9]#make && make install


Wednesday, September 1, 2010

CentOS 5.5 + Kaspersky Security for Internet Gateway

Environment:


CentOS 5.5(final)

Kernel 2.6.30.5



Packages:

SQUID 3.1.7

(http://www.squid-cache.org/Versions/v3/3.1/)

Kaspersky Security for Internet Gateway 5.5.51

(http://www.t-techftp.com/Products/Kaspersky/Internet_gateway/For_ProxyServer/For_Linux/kav4proxy-5.5-51.i386.rpm)

Kaspersky Security for Internet Gateway 30-day trial key request page

(http://www.kaspersky.com/kaspersky_security_internet_gateway_trial_download)



1. Install Squid

Download the file to /usr/src/

[root@CentOS src]#wget http://www.squid-cache.org/Versions/v3/3.1/squid-3.1.7.tar.bz2

Extract squid-3.1.7.tar.bz2

[root@CentOS src]#tar xjf squid-3.1.7.tar.bz2

[root@CentOS src]#cd squid-3.1.7

[root@CentOS squid-3.1.7]#./configure --enable-icap-client --disable-loadable-modules --enable-icap-support



(Without --disable-loadable-modules, the make step below fails with "../libltdl/libltdl/lt_error.h:35:31: error: libltdl/lt_system.h: No such file or directory")

(Without --enable-icap-support, the Kaspersky ICAP server fails to start or reports errors)

[root@CentOS squid-3.1.7]#make && make install

Initialize squid

[root@CentOS squid-3.1.7]#/usr/local/squid/sbin/squid -z

WARNING: Cannot write log file: /usr/local/squid/var/logs/cache.log

/usr/local/squid/var/logs/cache.log: Permission denied

messages will be sent to 'stderr'.

2010/08/30 15:33:17
Creating Swap Directories

Reset the permissions on /usr/local/squid/var/logs/

[root@CentOS squid-3.1.7]#chmod 777 /usr/local/squid/var/logs/

[root@CentOS squid-3.1.7]#/usr/local/squid/sbin/squid -z

[root@CentOS squid-3.1.7]#/usr/local/squid/sbin/squid -s

[root@CentOS ~]# netstat -tln | grep 3128

tcp 0 0 :::3128 :::* LISTEN

Squid's default port is 3128; a LISTEN entry means it is up

On the client, point IE's proxy setting at IP:3128 and it is ready to use



2. Install Kaspersky Security for Internet Gateway

Download the file to /usr/src/

[root@CentOS ~]#cd /usr/src

[root@CentOS src]#wget http://www.t-techftp.com/Products/Kaspersky/Internet_gateway/For_ProxyServer/For_Linux/kav4proxy-5.5-51.i386.rpm

[root@CentOS src]# rpm -ivh kav4proxy-5.5-51.i386.rpm

Preparing... ########################################### [100%]

1:kav4proxy ########################################### [100%]

Kaspersky Anti-Virus for Proxy Server has been installed

successfully but needs to be properly configured before using.

Unfortunately, RPM is not able to run scripts interactively, so

please run

/opt/kaspersky/kav4proxy/lib/bin/setup/postinstall.pl

script by yourself to configure it.



[root@CentOS src]#/opt/kaspersky/kav4proxy/lib/bin/setup/postinstall.pl

Configuring KeepUp2Date proxy settings.

If you use an http proxy server to access the Internet, you need

to tell the Kaspersky Anti-Virus for Proxy Server KeepUp2Date

component about it. Please enter the address of your http proxy

server in one of the following forms, http://proxyIP:port or

http://user:pass@proxyIP:port. If you don't have or need a proxy

server to access the Internet, enter 'no' here [no]:



no

Latest anti-virus bases are an essential part of your anti-virus

protection. Do you want to download the latest anti-virus bases

right now to insure your application is up to date? (If you

answer 'yes', make sure you are connected to the Internet):

[yes]:

yes

Kaspersky KeepUp2Date 5.5.50/RELEASE build #43

Copyright (C) Kaspersky Lab, 1997-2007.

Portions Copyright (C) Lan Crypto

Configuration file: /etc/opt/kaspersky/kav4proxy.conf

=== Update task started

Update source selected 'http://dnl-eu4.kaspersky-labs.com/'

Downloading file 'index/master.xml.klz'

.......

The Kaspersky anti-virus base update begins

Update 'Kaspersky Anti-Virus for Proxy Server' completed successfully

Do you want to activate regular updates? [y/N]:y

Default Webmin configuration file was not found. This means that

either Webmin is not installed at all, or is installed into a

non-default location.



Webmin (www.webmin.com) is a web-based interface for system

administration for various Unix components. If you install it,

you'll be able to configure and use Kaspersky Anti-Virus through

the web interface. If you want to use this functionality, but

haven't installed Webmin yet, you can skip this stage and

install this module later using Webmin's built-in installation

procedure.

If you have Webmin installed in a non-default path, please enter

the path to the location of the Webmin configuration file, or

leave blank to skip?



Setting up protection with Kaspersky Anti-Virus for Proxy

server.



The installation program can automatically configure your

ICAP-enabled Squid to be protected by Kaspersky Anti-Virus ICAP

server.



1) No integration

2) Configure to work with remote proxy

3) Configure Squid manually

4) Squid (/usr/local/squid/etc/squid.conf)



Please Choose 1-4

4



Configuring Squid to use Kaspersky Anti-Virus

ICAP-Server



Proxy server binary path: /usr/local/squid/sbin/squid

Proxy server configuration file: /usr/local/squid/etc/squid.conf



Please enter 'Y' to confirm that you want to protect this proxy

server with Kaspersky Anti-Virus. Enter 'N' if proxy server has

been detected incorrectly, or if you do not want to protect it.

[Y]:

Y

Stopping ICAP server: kavicapserver stopped



Starting ICAP server: kavicapserver started



Reconfigure Squid - 2010/08/30 17:15:02
WARNING: 'icap_class' is depricated. Use 'adaptation_service_set' instead

2010/08/30 17:15:02
WARNING: 'icap_class' is depricated. Use 'adaptation_service_set' instead

2010/08/30 17:15:02
WARNING: 'icap_access' is depricated. Use 'adaptation_access' instead

2010/08/30 17:15:02
WARNING: 'icap_access' is depricated. Use 'adaptation_access' instead

success

(These WARNING messages can be ignored and do not affect the system; to get rid of them, edit squid.conf as follows)

Kaspersky Anti-Virus for Proxy Server is installed.

Configuration file was installed in

/etc/opt/kaspersky/kav4proxy.conf

Binaries were installed in /opt/kaspersky/kav4proxy/bin



[root@CentOS src]#vi /usr/local/squid/etc/squid.conf

.....................

# Added by Kaspersky Anti-Virus installer

icap_enable on

icap_send_client_ip on

icap_service is_kav_req reqmod_precache 0 icap://localhost:1344/av/reqmod

icap_service is_kav_resp respmod_precache 0 icap://localhost:1344/av/respmod

icap_class ic_kav_req is_kav_req

icap_class ic_kav_resp is_kav_resp

icap_access ic_kav_resp allow all

icap_access ic_kav_req allow all !acl_kav_GET

# /Added by Kaspersky Anti-Virus installer

......................



After modification



# Added by Kaspersky Anti-Virus installer

icap_enable on

icap_send_client_ip on

icap_service is_kav_req reqmod_precache 0 icap://localhost:1344/av/reqmod

icap_service is_kav_resp respmod_precache 0 icap://localhost:1344/av/respmod

adaptation_service_set ic_kav_req is_kav_req

adaptation_service_set ic_kav_resp is_kav_resp

adaptation_access ic_kav_resp allow all

adaptation_access ic_kav_req allow all !acl_kav_GET

# /Added by Kaspersky Anti-Virus installer

......................
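Before trusting the installer's output, it is worth checking that every ICAP service Squid knows about is actually reachable through an access rule: a service that is defined but never granted access is simply never consulted, and the proxy passes traffic unscanned without complaint. The check below is an added example, not from the original post or from the Kaspersky installer; it reads squid.conf in the Squid 3.1 syntax shown above, flags the deprecated icap_class and icap_access directives so they can be migrated before an upgrade drops them, and does not validate ACL names such as acl_kav_GET.

```shell
#!/bin/sh
# Sanity check for the ICAP wiring in a squid.conf (Squid 3.1 syntax).
# Added example, not from the original post or the Kaspersky installer.
# It verifies that icap_enable is on, that every icap_service is reachable
# through an adaptation_service_set or a direct adaptation_access rule, that
# every set has an access rule, and that no deprecated icap_class/icap_access
# directives remain. ACL names are not validated.

squid_icap_check() {   # squid_icap_check FILE
    awk '
        BEGIN { bad = 0; enabled = 0 }
        /^[[:space:]]*#/ || NF == 0    { next }
        $1 == "icap_enable"            { enabled = ($2 == "on") }
        $1 == "icap_service"           { svc[$2] = 1 }
        $1 == "adaptation_service_set" { set[$2] = 1; for (i = 3; i <= NF; i++) inset[$i] = 1 }
        $1 == "adaptation_access"      { access[$2] = 1 }
        $1 == "icap_class" || $1 == "icap_access" {
            print "FAIL: deprecated directive " $1 " (use adaptation_service_set / adaptation_access)"
            bad = 1
        }
        END {
            if (!enabled) { print "FAIL: icap_enable is not on"; bad = 1 }
            for (s in svc)
                if (!(s in inset) && !(s in access)) { print "FAIL: icap_service " s " is never granted access"; bad = 1 }
            for (c in set)
                if (!(c in access)) { print "FAIL: service set " c " has no adaptation_access rule"; bad = 1 }
            for (a in access)
                if (!(a in set) && !(a in svc)) { print "FAIL: adaptation_access names unknown " a; bad = 1 }
            if (!bad) print "OK: every ICAP service is wired to an access rule"
            exit bad
        }
    ' "$1"
}

# Constructed sample: the installer block with one access rule left out.
squid_demo=$(mktemp)
cat > "$squid_demo" <<'EOF'
# constructed example, not a real squid.conf
icap_enable on
icap_send_client_ip on
icap_service is_kav_req reqmod_precache 0 icap://localhost:1344/av/reqmod
icap_service is_kav_resp respmod_precache 0 icap://localhost:1344/av/respmod
adaptation_service_set ic_kav_req is_kav_req
adaptation_service_set ic_kav_resp is_kav_resp
adaptation_access ic_kav_resp allow all
EOF
squid_icap_check "$squid_demo" || echo "requests would bypass the scanner with this squid.conf"
rm -f "$squid_demo"
```

Point it at /usr/local/squid/etc/squid.conf after the edits above; the sample in the block deliberately omits the ic_kav_req access rule to show what an unwired request-side service looks like.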



Start automatically at boot

[root@CentOS src]#vi /etc/rc.d/rc.local

-----------------

/usr/local/squid/sbin/squid -s

-----------------

Clam AntiVirus + HAVP

Clam AntiVirus


(http://sourceforge.net/projects/clamav/files/clamav/)

HAVP

(http://www.server-side.de/download/havp-0.92.tar.gz)



1. Install Clam AntiVirus

[root@CentOS ~]#cd /usr/src

[root@CentOS src]#wget -O clamav-0.96.2.tar.gz http://sourceforge.net/projects/clamav/files/clamav/0.96.2/clamav-0.96.2.tar.gz/download



.....



[root@CentOS src]#groupadd clamav && useradd -g clamav -M clamav

[root@CentOS src]#tar zxvf clamav-0.96.2.tar.gz

[root@CentOS src]# cd clamav-0.96.2

[root@CentOS clamav-0.96.2]#./configure

(install zlib and zlib-devel first)

....

[root@CentOS clamav-0.96.2]#make && make install

.....

[root@CentOS clamav-0.96.2]#mkdir /var/log/clamav

[root@CentOS clamav-0.96.2]#chown clamav:clamav /var/log/clamav

[root@CentOS clamav-0.96.2]#cp /usr/local/etc/clamd.conf /usr/local/etc/clamd.conf.bak



[root@CentOS clamav-0.96.2]#vi /usr/local/etc/clamd.conf

Modified part



===========================================

#Example

LogFile /var/log/clamav/clamav.log


LogVerbose yes


LogTime yes


PidFile /var/run/clamd.pid


DatabaseDirectory /usr/local/share/clamav

===========================================

[root@CentOS clamav-0.96.2]#vi /usr/local/etc/freshclam.conf

(configure freshclam.conf)

===========================================

#Example

DatabaseDirectory /usr/local/share/clamav


UpdateLogFile /var/log/clamav/freshclam.log


LogSyslog yes


LogVerbose yes

===========================================



[root@CentOS clamav-0.96.2]#/usr/local/bin/freshclam

(run freshclam to update the virus signatures)



2. Install HAVP

[root@CentOS src]#wget http://www.server-side.de/download/havp-0.92.tar.gz

[root@CentOS src]#tar zxvf havp-0.92.tar.gz

....

[root@CentOS src]#cd havp-0.92

[root@CentOS havp-0.92]#./configure

(yum install gcc-c++)

[root@CentOS havp-0.92]#make && make install

[root@CentOS havp-0.92]#groupadd havp && useradd -g havp -M havp

[root@CentOS havp-0.92]#chown havp:havp /var/log/havp /var/run/havp

[root@CentOS havp-0.92]#vi /usr/local/etc/havp/havp.config

===========================================

#REMOVETHISLINE deleteme

ENABLECLAMLIB true

CLAMDBDIR /usr/local/share/clamav

TEMPDIR /tmp

# do not scan images
SCANIMAGES false

# TRANSPARENT true   (uncomment this to run HAVP on its own as the proxy)

# PARENTPROXY 127.0.0.1   (if there is a parent proxy, uncomment these two lines; use either them or the line above, not both)

# PARENTPORT 3128

......

3. (Create a virtual disk using 1G of disk space)

[root@CentOS havp-0.92]#dd if=/dev/zero of=/root/havp_tmp.img bs=1024K count=1 seek=1024



[root@CentOS havp-0.92]#mkfs.ext2 /root/havp_tmp.img



[root@CentOS havp-0.92]#mount -o loop,mand /root/havp_tmp.img /var/tmp/havp

[root@CentOS havp-0.92]#chown havp:havp /var/tmp/havp

[root@CentOS havp-0.92]#vi /etc/rc.d/rc.local

(mount the virtual disk at boot)

mount -o loop,mand /root/havp_tmp.img /var/tmp/havp



[root@CentOS havp-0.92]#vi /etc/ld.so.conf

/usr/local/lib

[root@CentOS havp-0.92]#ldconfig

(refresh the shared library cache (for ClamAV))

[root@CentOS havp-0.92]#cp /usr/src/havp-0.92/etc/init.d/havp /etc/init.d

[root@CentOS havp-0.92]#/etc/init.d/havp start

[root@CentOS havp-0.92]#vi /etc/rc.d/rc.local



/etc/init.d/havp start



[root@CentOS havp-0.92]#iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 --dport 80 -j REDIRECT --to-port 8080



Test page: http://www.eicar.org/anti_virus_test_file.htm

But this seems to be antivirus that only gives peace of mind. I tried searching the net for a 2010 virus pack

http://rs568.rapidshare.com/files/395560382/528.zip

and sure enough it let me download it without any trouble....

CentOS 5.5 (final) + L7-filter

Environment:


OS: CentOS 5.5 release (Final)

Kernel: 2.6.18-194.el5

iptables: iptables v1.3.5



Packages to install:

linux-2.6.30.5.tar.bz2

(http://ftp.isu.edu.tw/pub/Linux/kernel/v2.6/linux-2.6.30.5.tar.bz2)

netfilter-layer7-v2.22.tar.gz

(http://sourceforge.net/projects/l7-filter/files/l7-filter%20kernel%20version/2.22/netfilter-layer7-v2.22.tar.gz/download)

l7-protocols-2009-05-28.tar.gz

(http://sourceforge.net/projects/l7-filter/files/Protocol%20definitions/2009-05-28/l7-protocols-2009-05-28.tar.gz/download)

iptables-1.4.6.tar.bz2

(http://www.netfilter.org/projects/iptables/files/iptables-1.4.6.tar.bz2)



Other:

L7 kernel compatibility table:

http://l7-filter.sourceforge.net/kernelcompat



Preparation:

Disable SELinux

[root@CentOS ~]# vi /etc/sysconfig/selinux

# This file controls the state of SELinux on the system.

# SELINUX= can take one of these three values:

# enforcing - SELinux security policy is enforced.

# permissive - SELinux prints warnings instead of enforcing.

# disabled - SELinux is fully disabled.

SELINUX=enforcing

# SELINUXTYPE= type of policy in use. Possible values are:

# targeted - Only targeted network daemons are protected.

# strict - Full SELinux protection.

SELINUXTYPE=targeted


Change SELINUX=enforcing → SELINUX=disabled



1. Download all packages to /usr/src/


2. Compile the kernel

[root@CentOS src]# tar xf linux-2.6.30.5.tar.bz2

[root@CentOS src]# tar xzf netfilter-layer7-v2.22.tar.gz



Patch the kernel

[root@CentOS src]#cd linux-2.6.30.5

[root@CentOS linux-2.6.30.5]# patch -p1 < ../netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch

.....

[root@CentOS linux-2.6.30.5]#cp /boot/config-`uname -r` .config

(copy the running kernel's configuration)

[root@CentOS linux-2.6.30.5]#make menuconfig

(make menuconfig does not work unless gcc and ncurses-devel are installed)

.....



* "Prompt for development and/or incomplete code/drivers" (under "Code maturity level options")

* "Network packet filtering framework" (Networking → Networking support → Networking Options)

* "Netfilter Xtables support" (on the same screen)

* "Netfilter connection tracking support" (... → Network packet filtering framework → Core Netfilter Configuration), select "Layer 3 Independent Connection tracking"

* "Connection tracking flow accounting" (on the same screen)

* And finally, "Layer 7 match support"

* Optional but highly recommended: Lots of other Netfilter options, notably "FTP support" and other matches. If you don't know what you're doing, go ahead and enable all of them.





* "layer7" match support (only appears once Netfilter connection tracking support is selected)

* IPv4 connection tracking support (required for NAT)



Reference for which options to select:

http://charlothuang.blogspot.com/2010/02/l7-filter-on-centos-54.html

http://sacs.twgg.org/content/l7-filter-centos-52



[root@CentOS linux-2.6.30.5]#make

....

[root@CentOS linux-2.6.30.5]#make modules_install

....

[root@CentOS linux-2.6.30.5]#make install

....

[root@CentOS linux-2.6.30.5]#vi /boot/grub/grub.conf

# grub.conf generated by anaconda

#

# Note that you do not have to rerun grub after making changes to this file

# NOTICE: You have a /boot partition. This means that

# all kernel and initrd paths are relative to /boot/, eg.

# root (hd0,0)

# kernel /vmlinuz-version ro root=/dev/VolGroup00/LogVol00

# initrd /initrd-version.img

#boot=/dev/hda

default=1

timeout=5

splashimage=(hd0,0)/grub/splash.xpm.gz

hiddenmenu

title CentOS (2.6.30.5 )

root (hd0,0)

kernel /vmlinuz-2.6.30.5 ro root=/dev/VolGroup00/LogVol00

initrd /initrd-2.6.30.5.img

title CentOS (2.6.18-194.el5)

root (hd0,0)

kernel /vmlinuz-2.6.18-194.el5 ro root=/dev/VolGroup00/LogVol00

initrd /initrd-2.6.18-194.el5.img



Modified part

default=1→default=0

title CentOS (2.6.30.5 )→title CentOS (2.6.30.5 include l7-filter)



2. Install iptables 1.4.6

[root@CentOS ~]#cp /etc/init.d/iptables /etc/init.d/iptables.bak

(back up the iptables init script)

[root@CentOS ~]#yum remove iptables

(remove the old iptables version)

.....

[root@CentOS ~]# cd /usr/src

[root@CentOS src]#

[root@CentOS src]#patch -p1 < /netfilter-layer7-v2.21/iptables-1.3-for-kernel-pre2.6.20-layer7-2.21.patch

.....

[root@CentOS src]# tar xjf iptables-1.4.6.tar.bz2

[root@CentOS src]#cp netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/* iptables-1.4.6/extensions/

[root@CentOS src]#cd iptables-1.4.6/





[root@CentOS iptables-1.4.6]#./configure --with-ksource=~/linux/linux-2.6.30.5

[root@CentOS iptables-1.4.6]#make

[root@CentOS iptables-1.4.6]#make install



[root@CentOS ~]#cp /etc/init.d/iptables.bak /etc/init.d/iptables

(restore the init script)

3. Install the protocol definitions

[root@CentOS iptables-1.4.6]#cd ../

[root@CentOS src]#tar xzf l7-protocols-2009-05-28.tar.gz

[root@CentOS src]#cd l7-protocols-2009-05-28

[root@CentOS l7-protocols-2009-05-28]#make install



4. Configure NAT

[root@CentOS ~]#vi /etc/sysctl.conf

# Kernel sysctl configuration file for Red Hat Linux

#

# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and

# sysctl.conf(5) for more details.



# Controls IP packet forwarding

net.ipv4.ip_forward = 0



# Controls source route verification

net.ipv4.conf.default.rp_filter = 1



# Do not accept source routing

net.ipv4.conf.default.accept_source_route = 0

.....................

Modified part

net.ipv4.ip_forward = 0→net.ipv4.ip_forward = 1



#[root@CentOS ~]#iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE

[root@CentOS ~]#vi /etc/sysconfig/iptables

# Generated by iptables-save v1.3.5 on Thu Aug 26 11:52:40 2010

*nat

:PREROUTING ACCEPT [10:1270]

:POSTROUTING ACCEPT [1:40]

:OUTPUT ACCEPT [0:0]

-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth0 -j MASQUERADE

COMMIT



*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

:RH-Firewall-1-INPUT - [0:0]

-A INPUT -j RH-Firewall-1-INPUT

-A FORWARD -j RH-Firewall-1-INPUT

# accept traffic forwarded out through eth0 (the chain name here was RH-Firewall-1-OUTPUT, which is never declared; iptables-restore would refuse the whole file)
-A RH-Firewall-1-INPUT -o eth0 -j ACCEPT

-A RH-Firewall-1-INPUT -i lo -j ACCEPT

-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT

-A RH-Firewall-1-INPUT -p 50 -j ACCEPT

-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT

-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT

-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT

-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

COMMIT

---------- The rules above are after modification (the blue text was the added part) ----------
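A rules file like the one above is only as good as iptables-restore's willingness to load it: a rule that appends to, or jumps to, a chain the file never declares with a ":name" line makes the restore abort, and a box that boots that way has none of the rules its administrator expects. The checker below is an added example, not from the original post; it walks an iptables-save format file table by table and reports every referenced chain that is neither declared nor one of the common built-in targets it knows (that target list is an assumption, not an exhaustive one).

```shell
#!/bin/sh
# Validate the chain references in an iptables-save style file before feeding
# it to iptables-restore. Added example, not from the original post; the list
# of built-in targets it knows is the common set, not an exhaustive one.

ipt_check_chains() {   # ipt_check_chains FILE
    awk '
        BEGIN {
            bad = 0
            n = split("ACCEPT DROP REJECT RETURN LOG ULOG MASQUERADE SNAT DNAT REDIRECT MARK CONNMARK TCPMSS QUEUE NFQUEUE", t, " ")
            for (i = 1; i <= n; i++) builtin[t[i]] = 1
        }
        /^[[:space:]]*#/ || NF == 0 { next }
        /^\*/ { table = substr($1, 2); next }                        # *nat, *filter, ...
        /^:/  { declared[table SUBSEP substr($1, 2)] = 1; next }     # :CHAIN POLICY [pkts:bytes]
        $1 == "COMMIT" { next }
        {
            # Every -A/-I names the chain a rule lives in; every -j/-g names its target.
            for (i = 1; i < NF; i++)
                if ($i == "-A" || $i == "-I" || $i == "-j" || $i == "-g")
                    used[table SUBSEP $(i + 1)] = 1
        }
        END {
            for (key in used) {
                split(key, p, SUBSEP)
                if (p[2] in builtin) continue
                if (!(key in declared)) {
                    print "FAIL: table " p[1] " references undeclared chain " p[2]
                    bad = 1
                }
            }
            if (!bad) print "OK: every referenced chain is declared"
            exit bad
        }
    ' "$1"
}

# Constructed sample with the classic typo: a chain appended to but never declared.
ipt_demo=$(mktemp)
cat > "$ipt_demo" <<'EOF'
# constructed example, not a saved ruleset
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-OUTPUT -o eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
ipt_check_chains "$ipt_demo" || echo "do not run iptables-restore on this file yet"
rm -f "$ipt_demo"
```

Run it against /etc/sysconfig/iptables before "service iptables restart"; a FAIL line names the table and the chain to correct.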



5. Test Skype, MSN, HTTP, Yahoo Messenger

Supported software: see http://l7-filter.sourceforge.net/protocols



(1.) Before the rules are applied, the software can be used normally


(2.)

Apply the following rules

iptables -t mangle -A PREROUTING -m layer7 --l7proto http -j DROP

iptables -t mangle -A PREROUTING -m layer7 --l7proto msnmessenger -j DROP

iptables -t mangle -A PREROUTING -m layer7 --l7proto yahoo -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto skypeout -j DROP

iptables -t mangle -A PREROUTING -m layer7 --l7proto skypetoskype -j DROP


Note: iptables -t mangle -A PREROUTING -m layer7 --l7proto skypeout -j DROP


The skypeout rule slows the network down noticeably. The project does warn:


"This is slow, but not as bad as you might think", but in use web pages became abnormally slow and some connections failed outright (in testing, telnet and ftp could not connect
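Generating the mangle-table rules from a list of protocol names, instead of typing each one, makes it natural to consult the installed pattern files first and skip the ones the l7-protocols maintainers themselves rate veryslow, which is exactly the trap the skypeout note above describes. The script below is an added example, not from the original post or the l7-filter project; it assumes the patterns live in a directory given as its first argument as NAME.pat and that each file carries the "# Pattern attributes: quality speed speed ..." header the collection uses, and it only prints the iptables commands, leaving the decision to apply them to the reader.

```shell
#!/bin/sh
# Build layer7 DROP rules for a list of protocols after consulting the
# installed pattern files. Added example, not from the original post or the
# l7-filter project. Assumes pattern files live in PATDIR as NAME.pat and carry
# the "# Pattern attributes: <quality> <speed> <speed> ..." header used by the
# l7-protocols collection; protocols rated veryslow are reported and skipped so
# that a single expensive pattern cannot stall the whole gateway.

# Print the attribute words of a pattern file (empty if the header is missing).
l7_attrs() {   # l7_attrs PATFILE
    sed -n 's/^#[[:space:]]*Pattern attributes:[[:space:]]*//p' "$1" | head -n 1
}

# Print one iptables command per usable protocol; warnings go to stderr.
# The return value is the number of protocols that were skipped.
l7_rules() {   # l7_rules PATDIR PROTO...
    l7_dir=$1; shift
    l7_skipped=0
    for l7_proto in "$@"; do
        l7_pat="$l7_dir/$l7_proto.pat"
        if [ ! -f "$l7_pat" ]; then
            echo "WARN: no pattern for '$l7_proto' in $l7_dir, skipping" >&2
            l7_skipped=$((l7_skipped + 1))
            continue
        fi
        case " $(l7_attrs "$l7_pat") " in
            *" veryslow "*)
                echo "WARN: '$l7_proto' is rated veryslow, skipping" >&2
                l7_skipped=$((l7_skipped + 1))
                continue ;;
        esac
        printf 'iptables -t mangle -A PREROUTING -m layer7 --l7proto %s -j DROP\n' "$l7_proto"
    done
    return $l7_skipped
}

# Constructed sample pattern directory (two tiny stand-ins, not real patterns).
l7_demo=$(mktemp -d)
printf '# MSN Messenger\n# Pattern attributes: good fast fast\n' > "$l7_demo/msnmessenger.pat"
printf '# Skype to phone\n# Pattern attributes: marginal veryslow veryslow\n' > "$l7_demo/skypeout.pat"
l7_rules "$l7_demo" msnmessenger skypeout yahoo || echo "$? protocol(s) skipped" >&2
rm -rf "$l7_demo"
```

With the real pattern directory as the first argument, pipe the output into sh only after reading it; the warnings on stderr list every protocol that was left out and why.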